Capricorn86 Happy-Dom vulnerabilities
5 known vulnerabilities affecting capricorn86/happy-dom.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 2
Vulnerabilities
CVE-2026-33943 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | v >= 15.10.0, < 20.8.8 | 2026-03-27
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts
Sources: GHSA, NVD, OSV
CVE-2024-51757 | P3 | CRITICAL | CVSS 9.3 | CWE-79 | fixed in 15.10.2 | 2024-11-06
happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability.
Sources: GHSA, NVD, OSV
CVE-2025-61927 | P3 | HIGH | CVSS 7.2 | CWE-94 | fixed in 20.0.2 | 2025-10-10
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM
Sources: GHSA, NVD, OSV
CVE-2025-62410 | P3 | CRITICAL | CWE-1321 | ≥ 19.0.0, < 20.0.2 | 2025-10-15
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
### Summary
The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads.
### Details
The untrusted script and the rest of
Sources: GHSA, OSV
CVE-2026-34226 | P3 | HIGH | CVSS 7.5 | CWE-201 | fixed in 20.8.9 | 2026-03-27
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes
Sources: GHSA, NVD, OSV